99.7% of Android phones leak user account credentials

According to a report by German researchers, some 99.7% of Android devices in circulation are vulnerable to an attack that could compromise sensitive data transmitted over a wireless network connection.…

There is no perfect fix... this is no better than a person downloading an app with a key logger.

The truth is that sooner or later... the development API will have to allow users to be prompted, control what aspects of the information stored on the device can be touched by an application. If users stick to app stores that are managed by big enough or trusted sources it should at least mitigate most of the fuss.

Wireless devices and our data always hovering over the ether is scary enough!

I noticed today that I had apparently sent emails with links to "medicine" sites, when I had not done such a thing. My only culprits were my College and my own Computer, but now it seems my phone is to blame.

BrianUMR said:
The 0.3 % are the phones with Gingerbread on them. Which is like the Google Nexus S. It is pretty much saying Gingerbread is only on 0.3% of phones.


So what you're saying is this is a virus released by Samsung to boost sales? =)

This is really going to force phone companies to have to start taking some stances as far as OS updates are concerned. You can't let the manufacturers drag their feet. Now phone companies are going to need to start taking some responsibility in allowing their customers to have their phones upgraded to the latest version. You can't have the average customer rooting their phone or doing some other crazy nonsense. This is a critical system patch that needs to be applied pronto.

This year is turning out to be a very interesting one in this particular sector.

I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it

Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it


Yeah I don't really get why so many applications need so many different privileges. I can find games that pretty much do the same thing and some need next to nothing and others want everything.

Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it


Since Android doesn't give users root access as default, the privilege access most apps ask for can only be of a high level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market, anything related to user authentication should never be over http. This is where the problem could lie, not the privilege access apps ask for, at least in my opinion.

Fair enough, but recklessness it is as what I was also inferring that why on earth a game would want to have access to your contacts? or logs? In addition to that remember all those malware carrying apps in the market?

Oh by the way I recommended DHD to a friend who was hell bent on buying an android cell, and guess what, after 2 weeks he returned it

Your title is misleading. In order the user has to download the application first. Of the percentages of people who download apps on the market, your small percent (probably less than 1%) are at risk. This proves your title is incorrect.

So what he is saying is that if someone has access to your cookies then he can access your stuff, and one can sniff it while it's going through network. Well in that case 100% iPhone and 100% of Windows have this issue. I want to know which 0.3% of android phones don't have this issue, I am sure there are none.

Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it


Since Android doesn't give users root access as default, the privilege access most apps ask for can only be of a high level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market, anything related to user authentication should never be over http. This is where the problem could lie, not the privilege access apps ask for, at least in my opinion.

The article notes that many applications can send such data over an unencrypted HTTP connection, making it easy for unsavory types to obtain the authToken with software utilities such as Wireshark, which can then be used to access your information.


Am I the only one seeing this as not an Android problem but an application developer one? I suppose Google can require all authTokens use SSL, but that's still not going to stop a badly developed application from broadcasting your password. I'd hate to think that you'd need to wireshark your phone after every app you install, but if you're really serious about these types of flaws, you'd at least want to read reviews of apps that include this type of checking first. And if you've rooted or jailbroken your phones, then it's 100% your responsibility and not the manufacturer's.

The same thing happened to me 2 days ago, but on my iPhone. Those went out from my hotmail account that I'm running on the phone. I'll never join an unsecured wireless node ever again. Had to have Microsoft wipe my account.

When you get a new android phone, look at the application section and uninstall all apps that require more permissions than: local storage, geo location, internet access, get phone state. Do this and you have no worries. When installing apps always check permissions such as Twitter app requires your first unborn child access while TweetCaster app does the same thing with only storage, internet and gps (for char near by) access. Don't just blindly install apps, look at the permissions it requires and you will be surprised how you can find many alternatives to the same app which requires far less access. At the end of the day I will always choose android over iPhone mainly because droid is openMarket which gives power to people not the companies and their rules and their fat wallet. -- Saimon Lovell
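
Added example, not part of any post in this thread: the permission check described in the last post, written as a script that compares the `uses-permission` entries of a decoded `AndroidManifest.xml` against that post's baseline and ranks alternative apps by how much they ask for beyond it. The mapping of the post's four categories to permission names, the two sample manifests and the package names are assumptions of this example; the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Baseline from the post: local storage, geo location, internet, phone state.
# The mapping to these permission names is an assumption of this example.
BASELINE = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def excess_permissions(manifest_xml, baseline=BASELINE):
    """Permissions requested beyond the baseline."""
    return [p for p in requested_permissions(manifest_xml) if p not in baseline]

def rank_by_excess(apps):
    """Order candidate apps so the one asking for the least extra comes first."""
    scored = [(name, excess_permissions(xml)) for name, xml in apps.items()]
    return sorted(scored, key=lambda item: (len(item[1]), item[0]))

# Constructed manifests for two hypothetical games (not real apps).
GAME_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gamea">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

GAME_B = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameb">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, extra in rank_by_excess({"gamea": GAME_A, "gameb": GAME_B}):
        print(name, "asks beyond baseline:", extra or "nothing")
```

A clean result here only says what an app is allowed to touch; it does not show whether the app sends credentials over plain HTTP, which is the issue the article describes.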